Problem installing RMS Mobile Device Extensions on RMS Server

  • Question

  • Hello,

    I'm having this issue when I try to install MDE on RMS Server.

    "Product: Active Directory Rights Management Services Mobile Device Extension -- AD RMS server role is not configured on the server. Please configure it first then install the Active Directory Rights Management Services Mobile Device Extension."

    The AD RMS Server Role is installed on the server.

    Any help will be appreciated

    Thanks

    • Edited by mlourenco Friday, June 3, 2016 9:53 AM
    Thursday, June 2, 2016 5:01 PM

All replies

  • That's odd.

    Is there anything non-standard about the ADRMS server?

    Is the default website renamed?

    Are you using the standard application pool that is created when ADRMS is installed?

    Is it running on a different port or using host headers?

    Friday, June 3, 2016 8:22 PM
  • Hello,

    Thanks for the reply. 

    Is there anything non-standard about the ADRMS server?  No

    Is the default website renamed? No

    Are you using the standard application pool that is created when ADRMS is installed? Yes

    Is it running on a different port or using host headers? I'm using the HTTP and HTTPS ports with no Headers

    Also, I have two similar environments, and on the test environment I was able to install the MDE fine.




    • Edited by mlourenco Monday, June 6, 2016 2:06 PM
    Monday, June 6, 2016 1:53 PM
  • Try to run the installation with logging: run cmd as Administrator and execute "ADRMS.MobileDeviceExtension.exe /log adrmsmobileext.log". When it has completed, locate the log file in the same dir as the installation file. Provide details here.

    I think the problem is with your site name, it should be "Default Web Site"

    Wednesday, June 8, 2016 8:51 AM
  • Hello,

    The site name is default website 

    

    Can I send you the log via private message?

    • Edited by mlourenco Wednesday, June 8, 2016 10:16 AM
    Wednesday, June 8, 2016 10:12 AM
  • I saw the previously posted log, very strange. This week I tested the AD RMS/ADFS mobile extension in different deployments and never got an error like yours.

    One more question, Do you use MS SQL for your AD RMS?

    Mobile Device Extensions requires full MS SQL, Windows Internal not supported.

    https://technet.microsoft.com/en-us/library/dn673574(v=ws.11).aspx

    Wednesday, June 8, 2016 12:05 PM
  • Hello,

    Thanks for your answers.

    Yes, I'm using MS SQL for ADRMS.

    I'm also using two AD RMS servers and the error is the same on both :(

    Wednesday, June 8, 2016 1:18 PM
  • Interesting. So are these two ADRMS servers members of the same cluster (share the same database?)
    Is ADRMS running on Server 2012 R2? Was ADRMS upgraded from a previous version?

    If you look in the DRMS_Config database under DRMS_ClusterPolicies what is the value for Drmsfileversion?

    Wednesday, June 8, 2016 9:04 PM
  • Hello,

    Thanks Again 

    The two servers are members of the same cluster. 

    The ADRMS was installed in this version Windows Server 2012 R2 (new installation, never upgraded, only Windows updates, critical and security).

    PolicyName PolicyData

    DrmsAssemblyVersion 6.3.0.0
    AdRmsFileVersion 6.3.9600.16384
    AdRmsFunctionalVersion 8.0.0.0


    • Edited by mlourenco Thursday, June 9, 2016 10:03 AM
    Thursday, June 9, 2016 10:03 AM
  • Can you post that install log somewhere and send a link?
    Or if the errors are obvious in one section of the log, just copy and paste

    Friday, June 10, 2016 11:10 PM
  • Can I send you the log via PM or something? If you want the full log I can provide it.

    MSI (c) (28:74) [11:57:35:653]: PROPERTY CHANGE: Adding DRMSCONFIGSTATUS property. Its value is '#2'.
    Action ended 11:57:35: AppSearch. Return value 1.
    MSI (c) (28:74) [11:57:35:653]: Doing action: LaunchConditions
    Action 11:57:35: LaunchConditions. Evaluating launch conditions
    Action start 11:57:35: LaunchConditions.
    AD RMS server role is not configured on the server. Please configure it first then install the Active Directory Rights Management Services Mobile Device Extension.
    MSI (c) (28:74) [11:57:38:310]: Product: Active Directory Rights Management Services Mobile Device Extension -- AD RMS server role is not configured on the server. Please configure it first then install the Active Directory Rights Management Services Mobile Device Extension.

    Action ended 11:57:38: LaunchConditions. Return value 3.
    MSI (c) (28:74) [11:57:38:310]: Doing action: FatalError
    Action 11:57:38: FatalError. 
    Action start 11:57:38: FatalError.
    Action 11:57:38: FatalError. Dialog created
    MSI (c) (28:A4) [11:57:38:356]: Note: 1: 2731 2: 0 
    Action ended 11:57:39: FatalError. Return value 2.
    Action ended 11:57:39: INSTALL. Return value 3.




    • Edited by mlourenco Tuesday, June 14, 2016 3:23 PM
    Tuesday, June 14, 2016 12:44 PM
  • Hello, 

    I found the issue :D. 

    The problem is the registry value 

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS\ConfigStatus that is configured in PRD environment with value 2 and on my QLT environment has value 3.

    With ConfigStatus = 3 (QLT) I have no problem installing MDE.

    With ConfigStatus = 2 (PRD) MDE gives the above error.

    Could you please tell me what the impact of changing this value to 3 is?

    Thank you 

    Tuesday, June 14, 2016 5:10 PM
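
The log excerpt and the registry finding in the posts above appear to describe the same value: AppSearch stored `'#2'` in `DRMSCONFIGSTATUS` (the `#` prefix marks a registry DWORD in Windows Installer logs) and LaunchConditions then returned 3. The PowerShell below is an added example, not part of the original thread, that reports the logged and the live value side by side; reading `ConfigStatus` as a value under the `DRMS` key and the default log file name are assumptions taken from the posts.

```powershell
# Added example, not from the thread. Assumes ConfigStatus is a value under the
# DRMS key (as the post describes it) and that the log came from the /log switch.
param([string]$LogPath = '.\adrmsmobileext.log')

# Constructed sample: three relevant lines quoted from the log in the thread.
$sample = @(
    "MSI (c) (28:74) [11:57:35:653]: PROPERTY CHANGE: Adding DRMSCONFIGSTATUS property. Its value is '#2'."
    'Action start 11:57:35: LaunchConditions.'
    'Action ended 11:57:38: LaunchConditions. Return value 3.'
)

function Get-MsiConfigStatus {
    param([string[]]$Lines)
    # AppSearch logs a registry DWORD hit as '#<n>'; no such line means nothing was found.
    foreach ($line in $Lines) {
        if ($line -match "Adding DRMSCONFIGSTATUS property\. Its value is '#?(\d+)'") {
            return [int]$Matches[1]
        }
    }
    return $null
}

function Test-LaunchConditionFailed {
    param([string[]]$Lines)
    # "Return value 3" on LaunchConditions means the installer stopped at that action.
    [bool]($Lines -match 'Action ended [\d:]+: LaunchConditions\. Return value 3\.')
}

# Fall back to the sample lines when no log file is present.
$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

# Live value on this server; $null when the key or value is absent.
$live = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DRMS' -Name ConfigStatus `
         -ErrorAction SilentlyContinue).ConfigStatus

[pscustomobject]@{
    Server                 = $env:COMPUTERNAME
    ConfigStatusInLog      = Get-MsiConfigStatus -Lines $lines
    ConfigStatusInRegistry = $live
    LaunchConditionFailed  = Test-LaunchConditionFailed -Lines $lines
}
```

Run it on each node of the cluster, since the thread reports the same error on both servers.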
  • Hello,

    Can someone help me on this?

    Thank you.

    Friday, June 17, 2016 10:01 AM
  • Hello,

    Any feedback on this?

    Monday, June 27, 2016 2:19 PM
  • Hello,

    Does anyone on this forum know the impact of changing this value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS\ConfigStatus to 3 or 2?

    Thank you 

    Tuesday, July 12, 2016 10:39 AM
  • Sorry for the lack of reply. I have been out of the office.

    That value should always be 3 for 2012

    Was this changed manually at some point?

    The instructions to change it to 2 are specific to the original version of 2008 so that mac Office 2011 would work.

    Tuesday, July 26, 2016 12:53 AM
  • Hello,

    The server version that I am using is Windows Server 2012 R2.

    Also I am using Office for Mac 2011 with RMS.

    So can I change the value to 3 and continue to have the integration with Office for Mac 2011? (receive the templates, classify emails and office documents).

    My need to use MDE is to access classified information (non office documents) on MAC.

    Thanks 

    Tuesday, July 26, 2016 9:29 AM
  • Yes. The 2011 clients should hit macCertification.asmx in the regular pipeline. MDE will service the RMS Sharing App on the Mac if you are using that to open protected PDF files.

    Tuesday, July 26, 2016 10:12 PM
  • Hello,

    Thanks for the reply.

    I should also install Federation Services on the AD to use with MDE?

    Wednesday, July 27, 2016 8:47 AM
  • Yes. There is a good document in the whitepapers here:
    https://www.microsoft.com/en-us/download/details.aspx?id=40333&wa=wsignin1.0

    called Leverage the Mobile Device Extension for ADRMS

    It covers the prerequisites very well.
    It covers all scenarios, so don't let the size of it intimidate you.

    Let me know if you have questions.

    Wednesday, July 27, 2016 7:20 PM
  • Hello,

    Thanks for your answers and all your support . 

    I also tried one of your documents called "leverage-the-mobile-device-extension-for-ad-rms-on-your-premises" without success. I will try again on another environment!

    Just another couple of questions regarding the on premises installation:

    1 - Do I need to have an Azure account to use the on premises configuration?

    2 - Do I need to change anything in the below commands regarding my infrastructure config?

           For iPhone and iPad 

    PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for iOS" -ClientId "9D7590FB-9536-4D87-B5AA-FAA863DCC3AB" -RedirectUri @("com.microsoft.rms-sharing-for-ios://authorize")

          For Mac Devices

    PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for OSX" -ClientId "96731E97-2204-4D74-BEA5-75DCA53566C3" -RedirectUri @("com.microsoft.rms-sharing-for-osx://authorize")

    3 - Can the Federation Server Role be installed in my domain controller / active directory server?

    4 - To test if my federation server installation is fine, do I just need to access the following url: https://servername.domain.xtp/adfs/ls/idpinitiatedsignon and check if I can sign in with a domain user account, or do I need to do other checks?

    Thank you. 


     


    Thursday, July 28, 2016 9:56 AM
  • Hello, 

    I'm testing MDE with RMS on premises. I'm also using a VPN to my test environment. I have configured all the steps. Basically the steps mentioned here: https://technet.microsoft.com/en-us/library/dn673574(v=ws.11).aspx

    • Install the ADFS (I can authenticate from inside the VPN)
    • Run the Script for MDE support 
    • Run the device support lines
    • Configure the SRV records
    • Install MDE

    Meanwhile I'm getting some errors using mac os and trying to open pfiles with the sharing app.

    For instance "Something went wrong while trying to contact Windows Azure AD Rights Management. If the problem continues contact your administrator". 

    Sometimes I got timeout errors.

    I'm using these SRV records for inside network (int)

    Add-DnsServerResourceRecord -ZoneName "domain.int" -Srv -Name "_rmsdisco._http._tcp" -DomainName "rmsserverinside.domain.int" -Port 443 -Priority 0 -Weight 0

    Add-DnsServerResourceRecord -ZoneName "domain.int" -Srv -Name "_rmsdisco._http._tcp.rmsserverinside" -DomainName "rmsserverinside.domain.int" -Port 443 -Priority 0 -Weight 0

     

    For outside (eu). Inside requests go to server one, outside requests go to server two.

     

    Add-DnsServerResourceRecord -ZoneName "domain.eu" -Srv -Name "_rmsdisco._http._tcp" -DomainName "rmsserveroutside.domain.eu" -Port 443 -Priority 0 -Weight 0

    Add-DnsServerResourceRecord -ZoneName "domain.eu" -Srv -Name "_rmsdisco._http._tcp.rmsserveroutside" -DomainName "rmsserveroutside.domain.eu" -Port 443 -Priority 0 -Weight 0

    For now I'm just testing MDE with a VPN connection; if I can get this to work the next step will be without VPN. But I'm not getting it with the VPN.

    Any help will be fine. Thanks

     






    • Edited by mlourenco Thursday, August 18, 2016 2:21 PM
    Thursday, August 18, 2016 2:09 PM
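
A check for the SRV records created in the post above, as an added example that is not part of the original thread: it compares what a resolver returns for each `_rmsdisco` name with the target and port the post intended. The record names are the post's placeholders for the "domain.int" zone, and the sample answers are constructed so the comparison also runs without DNS access.

```powershell
# Added example, not from the thread. Record names are the placeholders used in
# the post (zone "domain.int"); -Live queries the resolver this machine uses.
param([switch]$Live)

$expected = @(
    [pscustomobject]@{ Name = '_rmsdisco._http._tcp.domain.int'
                       Target = 'rmsserverinside.domain.int'; Port = 443 }
    [pscustomobject]@{ Name = '_rmsdisco._http._tcp.rmsserverinside.domain.int'
                       Target = 'rmsserverinside.domain.int'; Port = 443 }
)

# Constructed sample answers for the offline run: only the first record resolves.
$sample = @{
    '_rmsdisco._http._tcp.domain.int' = [pscustomobject]@{ Type = 'SRV'; NameTarget = 'rmsserverinside.domain.int.'; Port = 443 }
}

function Compare-SrvRecord {
    param($Expected, [object[]]$Resolved)
    # Keep SRV answers only; a resolver may append A/AAAA records for the target.
    $srv = @($Resolved | Where-Object { $_.Type -eq 'SRV' })
    $hit = $srv | Where-Object {
        $_.NameTarget.TrimEnd('.') -ieq $Expected.Target -and $_.Port -eq $Expected.Port
    }
    [pscustomobject]@{
        Name    = $Expected.Name
        Answers = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Matches = [bool]$hit
    }
}

foreach ($e in $expected) {
    $answer = if ($Live) {
        Resolve-DnsName -Name $e.Name -Type SRV -ErrorAction SilentlyContinue
    } else { $sample[$e.Name] }
    Compare-SrvRecord -Expected $e -Resolved @($answer)
}
```

With `-Live`, run it from a machine on the same network and resolver as the failing client, so the answer reflects what that client sees.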
  • On the mac clients you might be able to look at the logs to get more information, or run a fiddler trace.

    Also for now make sure your Office 2015 version is the latest Fast Track version. We do have a problem with a recent version preventing IRM from working.

    On this mac we should gather some logs.

    We will have to unhide them first.

    To view the hidden mac files:

    1. Open Terminal found in Finder > Applications > Utilities

    2. In Terminal, paste the following: defaults write com.apple.finder AppleShowAllFiles YES

    3. Press return

    4. Hold the ‘Option/alt’ key, then right click on the Finder icon in the dock and click Relaunch.

    (To set it back use the same method, but set the command to NO)

    Gather these files which will be in (Macintosh HD)\Users\YourUser\ (You will have to unhide to see)

    • ~/Library/Containers/com.microsoft.RMS-XPCService/Data/Library/Logs/com.microsoft.RightsManagementServices-XPCService/Microsoft\ Rights\ Management\ Services/RMSService_LOG.txt

    • ~/Library/Containers/com.microsoft.RMS-XPCService/Data/Library/Logs/MSProtection/Microsoft\ Rights\ Management\ Services\MSProtection_LOG.txt

    Anything in:   

    • ~/Library/Containers/com.microsoft.Excel/Data/Library/Caches/Microsoft/uls/com.microsoft.Excel/logs/

    • ~/Library/Containers/com.microsoft.Word/Data/Library/Caches/Microsoft/uls/com.microsoft.Word/logs/

    • ~/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Microsoft/uls/com.microsoft.Outlook/logs/ 

    Friday, September 23, 2016 7:03 AM
  • Hello,

    Thanks for the reply.

    The IRM integration is working fine with Office 2011 documents. I can open protected documents, I can view the rights, I can change the permissions.

    My issue is when I try to open ppdf files on a Mac computer, I get the error "Something went wrong while trying to contact Windows Azure AD Rights Management. If the problem continues, contact your administrator"

    The ADFS is configured and working fine I think. I can log on on this page with the domain user: https://servername/adfs/ls/idpinitiatedsignon I'm also able to receive this xml file: https://servername/FederationMetadata/2007-06/FederationMetadata.xml

    I installed MDE on RMS, I run the script on ADFS and authorize the sharing app for Mac. I created the DNS SRV server records.

    Basically using the following procedure and also some tips from the document leverage-the-mobile-device-extension-for-ad-rms-on-your-premises

    https://technet.microsoft.com/en-us/library/dn673574.aspx .

    The SRV records should be created in the local domain controller or in the DNS provider? I'm testing this just using a local network. 

    Also, does the email address have to be public, or can it be a local email?

    Can someone help me on what can be wrong on this?

    Thanks








    • Edited by mlourenco Monday, December 12, 2016 5:54 PM
    Wednesday, December 7, 2016 11:53 AM
  • Hello,

    The only log file that I was able to gather was the MSProtection_LOG. How can I send it to you?


    • Edited by mlourenco Tuesday, December 20, 2016 4:21 PM
    Tuesday, December 20, 2016 4:20 PM